24sessions - Information Security
As a company that takes data security and privacy very seriously, we recognize that 24sessions's information security practices are important to you.
While we don’t like to expose too much detail around our practices (as it can empower the very people we are protecting ourselves against), we have provided some general information below to give you confidence in how we secure the data entrusted to us.
We are based in the EU (The Netherlands), operate according to ISO27001 standards, comply with GDPR regulations and have centered our technology, processes and people according to the EU privacy regulations.
Data Center Security
24sessions establishes thousands of video meetings for our clients. Therefore we use multiple world-class data centers around the world. We have DDoS mitigation in place at all of our data centers. Our data centers manage physical security 24/7 with biometric scanners and the usual high tech stuff that data centers always brag about. We have documented a “Business Continuity Plan” covering all kinds of scenarios.
24sessions application level security
All 24sessions video chats are protected by end-to-end encryption. 24sessions account passwords are hashed; even our own staff can't view them. If you lose your password, it can't be retrieved, only reset. Login pages and logins via the 24sessions API have brute force protection. Sensitive data (including recordings) is protected by encryption in transit and at rest. All data transfers to websites (such as login pages or the API) and subservices are protected by SSL encryption. All reported bugs are assigned to the system architect, who performs an investigation and risk assessment. We perform regular external security penetration tests throughout the year using different vendors. The tests involve high-level server penetration tests, in-depth testing for vulnerabilities inside the application, and social engineering drills. Our credit card processing vendor uses security measures to protect your information both during the transaction and after it is completed.
Protecting ourselves, against you
Yes, you heard that correctly. We can secure ourselves like Fort Knox, but if your computer gets compromised and someone gets into your 24sessions account, that's not good for either of us. We monitor accounts and will automatically suspend them on signs of irregular or suspicious login activity. Certain changes to your account, such as to your password, trigger email notifications to the account owner. We monitor accounts for signs of abuse. We provide the ability to establish tiered levels of access within accounts.
Protection from data loss
All data is backed up. The database engine provides point-in-time recovery for data during the retention period. All databases are kept isolated and dedicated, preventing corruption and overlap. 24sessions account data is regularly backed up and stored in geographically distributed sites (all in Europe).
Internal protocol and Education
We have an internal security team constantly monitoring the company and services for vulnerabilities. 24sessions maintains an access control policy covering access restrictions and password policies. We maintain secure application development standards. All developers receive regular security training about the importance of privacy and security by design. We continuously train employees on security practices, including how to identify social engineering, phishing scams, and hackers. Employees on teams that have access to customer data (such as tech support and our engineers) undergo a background check prior to employment. All employees sign the Information Security Staff Guidelines and receive information security training outlining their responsibility in protecting customer data.
Investing in your privacy
Our Legal team partners with our developers and engineers to make sure our products and features comply with applicable privacy laws. We retain a law firm in the Netherlands to consult on EU privacy issues.